1. INTRODUCTION

Security is an important aspect of information, especially in environments where information is
sensitive and private, such as healthcare systems. When health information is shared between people and
their healthcare professionals, it can help with diagnosis and self-care, making health information systems
(HIS) more useful. By giving health experts, patients, administrators, and developers a way to collaborate
and communicate with one another, cloud computing improves the quality of healthcare services. On the
other hand, when cloud resources and services are made available to the general public, the result is referred
to as an untrusted cloud environment. As a result, security issues have become extremely important in HIS and
are considered one of the most significant risks HIS faces. In 2018, HIS continued to be a common target for
ransomware, crypto mining, data theft, phishing, and insider threats [1], [2].

In HIS, security and privacy are crucial components for preserving sensitive and important patient
data. Privacy refers to safeguarding data against use and access by unauthorized parties, whereas security
refers to maintaining data confidentiality during its transport, storage, gathering, and processing [3], [4].
Authentication is a crucial defense against unauthorized access to HIS and sensitive patient data. Initially, a
single factor was used for object authentication, and at that time this type of authentication was widely
used because of its ease of use and simplicity [5], [6]. The use of a password (or a personal identification
number (PIN)) to verify ownership of the user ID was the most common example of single factor
authentication (SFA). It is clearly the weakest level of authentication for many reasons: sharing the password
compromises the account immediately, and an unauthorized user can attempt to gain access using known
attacks such as a dictionary attack, a rainbow table, or social engineering techniques [7]-[9]. As a second step
forward, two-factor authentication (2FA) [10], [11] was proposed; it combines the username/password pair
with another factor drawn from one of the following categories: i) knowledge factor: something you know,
which could be a PIN, a password, answers to "secret questions" or a specific keystroke pattern;
ii) ownership factor: something you have, like a credit card, a smartphone, or a small hardware token; and
iii) biometric factor: something you are, like biometric data or a behavior pattern.

As a third step forward, multi-factor authentication (MFA) was proposed to provide an advanced level of
security and protection of computing devices and key services from illegal access by using more than two
credential factors [12], [13]. Many authentication schemes for HIS based on 2FA or MFA have been proposed by
researchers in past years; most of them deal with known security problems such as the man-in-the-middle (MITM)
attack, the replay attack and the impersonation attack, and work to increase resistance against them. However,
many of these schemes still contain security holes that can be exploited by attackers [14], [15]. Over the years, a
number of research papers have been published in the healthcare sector to enhance the security and privacy of
patients. Various smart healthcare systems have been proposed, but many security problems exist in these
systems, especially those based on passwords as the main authentication factor [16]. A number of important
vulnerabilities of password construction for smart healthcare are shown in [17], which also presents a password
strength evaluation method. These vulnerabilities include password reuse and building passwords from personal
information; such passwords become an easy target for known attacks like dictionary attacks. On the other hand,
several smart-card-based password authentication techniques for telecare medical information systems (TMIS)
have been proposed. For instance, in 2018 Radhakrishnan and Karuppiah [18] showed that Lee's [19] technique
is still vulnerable to offline password guessing and forgery attacks and that it is also unable to provide forward
secrecy, user anonymity and mutual authentication.

Karthigaiveni and Indrani [20] proposed a 2FA scheme with key agreement using elliptic curve
cryptography (ECC) with a smart card and a password. Radhakrishnan and Muniyandi [21] showed that the
scheme of Karthigaiveni and Indrani [20] has security flaws such as an offline password guessing attack and a
lack of user anonymity. They proposed an effective and secure 2FA scheme that uses ECC with smart cards
and overcomes these security vulnerabilities. Their scheme safeguards user privacy by enabling registered
users to change their passwords without disclosing their identities to the server. Besides the smart card, the
use of biometrics in the healthcare environment has made it possible to determine the identity of patients in
a new way, so other authentication schemes based on biometric factors in healthcare systems have been
proposed. Azeta et al. [22] developed a HIMS with fingerprint biometrics and a password/PIN as the main
authentication factors. The HIMS is called CareMed HIMS, and a combination of technologies such as
UML, biometrics, data management and computer programming was used to develop the system.
Mohammedi et al. [23] proposed a lightweight biometric-based authentication scheme for mobile healthcare
environments. The suggested scheme converts the patient's biometric data into ECC-based keys, so there is no
need to store or transmit the patient's biometric template. The researchers show that, in the context of
RFID authentication protocols, their scheme is resistant to well-known attacks.

Adeli et al. [24] made a detailed analysis of the scheme in [23] and showed that the proposed protocol
is vulnerable to some known attacks such as the MITM attack; they also demonstrated that the protocol does
not provide important security features such as anonymity, forward secrecy and untraceability. To overcome
these weaknesses, they proposed an improved protocol that employs only elliptic curve scalar multiplication
for both the reader and the tag. They show that their scheme can withstand known attacks such as the
MITM attack and requires 50% less communication cost and 23% less computation time than the
Mohammedi et al. [23] scheme. Mason et al. [25] provide an advanced technique for securely identifying
patients. They suggest a patient authentication technique that combines periocular biometrics with the
electronic master patient index in healthcare information systems. Some security concerns that should be
taken into consideration when designing and implementing a biometric system are discussed in [26], [27].
Some of these security concerns are the following:

- Hacking risk: as the use of biometrics increases, our biometric information becomes available in more than
one place, where we may not find the same level of protection.

- Biometrics might be used too frequently. People may believe that biometrics will address all security
issues, so they may not take the common sense security precautions that are necessary.

- Biometric databases are one type of database that may be more vulnerable than others: you can
change your password, but you cannot change any of your biometric parameters.
In this paper, we propose a two-factor authentication scheme that has several security features, such as user
privacy, anonymity of verification parameters, non-linkability, confidentiality, forward secrecy, and mutual
authentication. The proposed scheme is based on a random vector of shared image points as a second
authentication factor, in order to provide a safe and secure authentication protocol that resists most of the
known security attacks.


2. THE PROPOSED SCHEME 

In this section, we present an authentication scheme based on a random vector of points that
is extracted from an image to achieve the required authentication in the healthcare environment. The
proposed scheme has three main elements: user ($U_i$), admin ($A_i$), and cloud server (CS). The user represents the
patient and the admin represents doctors and healthcare system employees who have the privilege of reading
and writing patient records. Accordingly, we cover two types of authentication that can be applied
in healthcare systems: user-cloud server authentication and admin-cloud server authentication. The first type
of authentication consists of three phases: user setup/registration phase, user login phase and user
authentication phase. The second type of authentication also consists of three phases: admin
setup/registration phase, admin login phase, and admin authentication phase. The shared image points
vector of the proposed scheme is applied to the admin-cloud server authentication part, as it should be more
secure given the type of privileges granted to the admin after access to the system is allowed. The
notation used in the current work is listed in Table 1.


Table 1. The notation used in the proposed protocol

Symbol | Description
$U_i$ | A legitimate user $U_i$
$A_i$ | A legitimate administrator $A_i$
CS | A trustworthy cloud server
$Img_{A_i}$, $Img_{CS_i}$ | Shared private images for both administrator and cloud server
$SK_{U_i}$ | Shared private key between user $U_i$ and CS
$SK_{A_i}$ | Shared private key between administrator $A_i$ and CS
$ID_{U_i}$ | Identity of user $U_i$
$PW_{U_i}$ | Password of user $U_i$
$h(PW_{U_i})$ | Hashed password of user $U_i$
$index_{U_i}$ | Index of the secret sequence term on the user side
$index_{CS_i}$ | Index of the secret sequence term on the cloud server side
$index_{A_i}$ | Index of the secret sequence term on the admin side
$Seq_{index_i}$ | A term of the generated secret sequence at the position equal to index
$ENC_{SK_{U_i}}$ | Symmetric encryption function based on key $SK_{U_i}$
$ENC_{SK_{A_i}}$ | Symmetric encryption function based on key $SK_{A_i}$
$DEC_{SK_{U_i}}$ | Symmetric decryption function based on key $SK_{U_i}$
$DEC_{SK_{A_i}}$ | Symmetric decryption function based on key $SK_{A_i}$
$P_i, P'_i, N_i, N'_i, N''_i, E_i$ | Other miscellaneous values used in the verification
$V_i$ | Vector of random points selected from $Img_{A_i}$
$V_{pos_i}$ | Positions of the random points in $V_i$
$h(\cdot)$ | A cryptographic one-way hash function
$\|$ | The concatenation operation


2.1. User registration phase 
The user (patient) must register with the cloud server CS in order to use the network healthcare system, using
the following steps. Step 1: the user selects an identity $ID_{U_i}$ and a password $PW_{U_i}$, then computes the hash
value of the selected password, $h(PW_{U_i})$, using the hash function $h$. The user sends the registration request
message $M_{U_i} = (ID_{U_i}, h(PW_{U_i}))$ to CS through a secure channel. User and CS will use the same secret sequence
and set $index_{U_i} = 0$. Step 2: the cloud server CS checks whether an account with $ID_{U_i}$ already exists. If not,
it stores the user's information and sets $index_{CS_i} = 0$. A secret sequence generation rule is given to each user.


2.2. User login and authentication phase 
Step 1: the user inputs the identity $ID_{U_i}$ and the password $PW_{U_i}$, then generates the term $Seq_{index_{U_i}}$ and
sets $index_{U_i} = index_{U_i} + 1$. After that, the user computes $P_i = h(PW_{U_i}) \| h(Seq_{index_{U_i}})$ and sends
$(ID_{U_i}, P_i)$ through a public channel. Step 2: the cloud server CS checks whether an account with $ID_{U_i}$
exists; if it does, CS generates $Seq_{index_{CS_i}}$, sets $index_{CS_i} = index_{CS_i} + 1$, computes
$P'_i = h(PW_{U_i}) \| h(Seq_{index_{CS_i}})$ and verifies that $P'_i = P_i$. If so, CS logs the user in to the system;
otherwise, CS rejects the user login.


2.3. Admin registration phase 

Before an admin (a doctor or healthcare system employee) registers, a third party generates and
distributes the following items to both the admin and the cloud server: i) an image $Img$ with dimensions
$(n \times n)$, ii) a symmetric secret key $SK$, and iii) a secret sequence generation rule. After that, the admin
can register with the cloud server CS using the following steps. Step 1: the admin selects an identity $ID_{A_i}$
and a password $PW_{A_i}$, then computes the hash value of the selected password, $h(PW_{A_i})$, using the hash
function $h$. The admin sends the registration request message $M_{A_i} = (ID_{A_i}, h(PW_{A_i}))$ to CS through a
secure channel. As in the user registration phase, admin and CS also use the same secret sequence and set
$index_{A_i} = 0$. Step 2: the cloud server CS checks whether an account with $ID_{A_i}$ exists; if not, it stores
the admin's information and sets $index_{CS_i} = 0$.


2.4. Admin login and authentication phase 

Step 1: the admin inputs the identity $ID_{A_i}$ and the password $PW_{A_i}$, then generates the term
$Seq_{index_{A_i}}$ and sets $index_{A_i} = index_{A_i} + 1$. After that, the admin computes
$P_i = h(PW_{A_i}) \| h(Seq_{index_{A_i}})$ and sends the login request message $M_{A_i} = (ID_{A_i}, P_i)$ to CS
through a public channel. Step 2: the cloud server CS checks whether an account with $ID_{A_i}$ exists; if it
does, CS generates $Seq_{index_{CS_i}}$, sets $index_{CS_i} = index_{CS_i} + 1$, computes
$P'_i = h(PW_{A_i}) \| h(Seq_{index_{CS_i}})$ and verifies that $P'_i = P_i$. If so, it proceeds to the next step;
otherwise, CS discards the message and terminates the authentication process. Step 3: the cloud server
CS generates a vector of random image point positions $(x, y)$ within the range of the image size,
$V_{pos_i} \in Img_{CS_i}$, where $V_{pos_i} = \{(x_1, y_1), (x_2, y_2), \ldots, (x_n, y_n)\}$, so that CS can now
extract the image point values as the vector $V_i \in Img_{CS_i}$ and compute $N_i = h(V_i)$. After that, CS
encrypts $V_{pos_i}$ using the symmetric key $SK$ and gets $E_{pos_i} = ENC_{SK_{A_i}}(V_{pos_i})$. A message
with $E_{pos_i}$ and $N_i$ is sent to the admin.

Step 4: the admin decrypts $E_{pos_i}$ using the symmetric key $SK$ to get the vector of image point positions
$V'_{pos_i} = DEC_{SK_{A_i}}(E_{pos_i})$, then uses these positions to extract the image point values vector $V'_i$
from $Img_{A_i}$ using $V'_{pos_i}$. After that, the admin computes $N'_i = h(V'_i)$ and verifies that $N'_i = N_i$;
if not, the admin terminates the session. Otherwise, the admin computes $N''_i = h(V'_{pos_i})$ and generates the
new key $SK_{A_i} = SK_{A_i} \oplus Seq_{index_{A_i}}$, which will be used in the next login session. The admin now
sends $(N''_i)$ to CS. Step 5: CS verifies that $N''_i = h(V_{pos_i})$; if so, CS logs the admin in to the system
and generates the new key $SK_{A_i} = SK_{A_i} \oplus Seq_{index_{CS_i}}$ to be used in the next login session.
Otherwise, CS rejects the admin login. Figures 1 and 2 show the phases of the proposed protocol for both
user and admin.
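The admin-CS login and authentication exchange of steps 1 to 5 above, modelled with both parties as an added example written for this page; it is not the paper's implementation. It assumes SHA-256 for $h(\cdot)$, an HMAC-over-counter rule for the secret sequence, a constructed random 256x256 image shared as $Img_{A_i} = Img_{CS_i}$, and replaces the AES-based $ENC_{SK}$/$DEC_{SK}$ with an HMAC-SHA256 keystream XOR so that it runs on the standard library alone.

```python
import hashlib, hmac, secrets

N_IMG = 256                                  # constructed Img_A = Img_CS: N_IMG x N_IMG pixels
IMG = secrets.token_bytes(N_IMG * N_IMG)     # pixel values, row-major (constructed sample image)
RULE = b"constructed secret sequential generation rule"
SK0 = secrets.token_bytes(32)                # initial shared key SK_A distributed by the third party

def h(data: bytes) -> bytes:
    """h(.): one-way hash; SHA-256 is an assumption of this example."""
    return hashlib.sha256(data).digest()

def seq_term(index: int) -> bytes:
    """Seq_index: the sequence term at position index (assumed here: HMAC(RULE, index))."""
    return hmac.new(RULE, index.to_bytes(4, "big"), "sha256").digest()

def enc(key: bytes, data: bytes) -> bytes:
    """Stand-in for ENC_SK and DEC_SK (AES in the paper): HMAC keystream XOR, self-inverse."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def encode_pos(vpos):                        # V_pos as bytes: one byte per coordinate
    return bytes(c for xy in vpos for c in xy)

def extract(vpos):                           # V_i: pixel values of the shared image at V_pos
    return bytes(IMG[y * N_IMG + x] for x, y in vpos)

class CloudServer:
    def __init__(self):
        self.accounts, self.index, self.sk, self.pending = {}, {}, {}, {}

    def register(self, id_a, pw):            # Sec. 2.3: store (ID_A, h(PW_A)) and set index_CS = 0
        if id_a in self.accounts:
            return False
        self.accounts[id_a], self.index[id_a], self.sk[id_a] = h(pw), 0, SK0
        return True

    def on_login(self, id_a, p):
        """Step 2: recompute P'_i; on a match build the challenge (E_pos, N_i), else return None."""
        if id_a not in self.accounts:
            return None
        self.index[id_a] += 1                # as specified in Sec. 2.4, the index advances before the check
        seq = seq_term(self.index[id_a])
        if not hmac.compare_digest(self.accounts[id_a] + h(seq), p):
            return None
        vpos = [(secrets.randbelow(N_IMG), secrets.randbelow(N_IMG)) for _ in range(8)]
        self.pending[id_a] = (vpos, seq)     # Step 3: keep V_pos and Seq_index for step 5
        return enc(self.sk[id_a], encode_pos(vpos)), h(extract(vpos))

    def on_response(self, id_a, n2):
        """Step 5: verify N''_i = h(V_pos); on success rotate SK_A = SK_A xor Seq_index_CS."""
        vpos, seq = self.pending.pop(id_a)
        if not hmac.compare_digest(h(encode_pos(vpos)), n2):
            return False
        self.sk[id_a] = bytes(a ^ b for a, b in zip(self.sk[id_a], seq))
        return True

class Admin:
    def __init__(self, id_a, pw):
        self.id_a, self.pw, self.index, self.sk, self.seq = id_a, pw, 0, SK0, b""

    def login_request(self):
        """Step 1: P_i = h(PW_A) || h(Seq_index) with a fresh index; the message is (ID_A, P_i)."""
        self.index += 1
        self.seq = seq_term(self.index)
        return self.id_a, h(self.pw) + h(self.seq)

    def on_challenge(self, e_pos, n_i):
        """Step 4: recover V'_pos, verify N'_i = N_i, answer N''_i = h(V'_pos), rotate SK_A."""
        blob = enc(self.sk, e_pos)           # DEC_SK: the keystream XOR is its own inverse
        vpos = [(blob[i], blob[i + 1]) for i in range(0, len(blob), 2)]
        if not hmac.compare_digest(h(extract(vpos)), n_i):
            return None
        self.sk = bytes(a ^ b for a, b in zip(self.sk, self.seq))
        return h(encode_pos(vpos))

def run_session(admin, cs):                  # one complete admin-CS login; True only if both sides accept
    chal = cs.on_login(*admin.login_request())
    n2 = chal and admin.on_challenge(*chal)
    return bool(n2) and cs.on_response(admin.id_a, n2)

def replay_is_rejected(admin, cs):
    """Sec. 3.1.1 (h): a captured (ID_A, P_i) resent after its session fails, CS's index moved on."""
    msg1 = admin.login_request()
    cs.on_response(admin.id_a, admin.on_challenge(*cs.on_login(*msg1)))   # genuine session
    return cs.on_login(*msg1) is None                                      # replayed message 1
```

Running `replay_is_rejected` after a genuine session shows the replay defence of Section 3.1.1 (h): the resent $(ID_{A_i}, P_i)$ is refused because CS has already advanced $index_{CS_i}$.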


Figure 1. User registration, login, and authentication phases. The figure shows the message flow between
the user and the cloud server (CS):

- User setup/registration phase: the user selects $ID_{U_i}$, $PW_{U_i}$, computes $h(PW_{U_i})$, agrees on the
secret sequence and sets $index_{U_i} = 0$, then sends $(ID_{U_i}, h(PW_{U_i}))$; CS checks whether an account
with $ID_{U_i}$ exists and sets $index_{CS_i} = 0$.

- User login phase: the user inputs $ID_{U_i}$, $PW_{U_i}$, generates $Seq_{index_{U_i}}$, sets
$index_{U_i} = index_{U_i} + 1$, computes $P_i = h(PW_{U_i}) \| h(Seq_{index_{U_i}})$ and sends $(ID_{U_i}, P_i)$.

- User authentication phase: CS generates $Seq_{index_{CS_i}}$, sets $index_{CS_i} = index_{CS_i} + 1$,
computes $P'_i = h(PW_{U_i}) \| h(Seq_{index_{CS_i}})$ and verifies $P'_i \stackrel{?}{=} P_i$.


Figure 2. Admin registration, login, and mutual authentication phases. The figure shows the message flow
between the admin and the cloud server (CS):

- Admin setup/registration phase: a third party provides the admin with $Img_{A_i}$, $SK_{A_i}$ and the secret
sequence generator, and CS with $Img_{CS_i}$, $SK_{A_i}$ and the same generator. The admin selects $ID_{A_i}$,
$PW_{A_i}$, computes $h(PW_{A_i})$, sets $index_{A_i} = 0$ for the chosen secret sequence and sends
$M_{A_i} = (ID_{A_i}, h(PW_{A_i}))$; CS checks whether an account with $ID_{A_i}$ exists and sets $index_{CS_i} = 0$
for the chosen secret sequence.

- Admin login phase: the admin inputs $ID_{A_i}$, $PW_{A_i}$, generates $Seq_{index_{A_i}}$, sets
$index_{A_i} = index_{A_i} + 1$, computes $P_i = h(PW_{A_i}) \| h(Seq_{index_{A_i}})$ and sends $M_{A_i} = (ID_{A_i}, P_i)$.

- Admin mutual authentication phase: CS generates $Seq_{index_{CS_i}}$, sets $index_{CS_i} = index_{CS_i} + 1$,
computes $P'_i = h(PW_{A_i}) \| h(Seq_{index_{CS_i}})$, verifies $P'_i \stackrel{?}{=} P_i$, creates the vector of
random point positions $V_{pos_i} \in Img_{CS_i}$, $V_{pos_i} = \{(x_1, y_1), (x_2, y_2), \ldots, (x_n, y_n)\}$,
extracts the point values as $V_i$, computes $N_i = h(V_i)$, encrypts $E_{pos_i} = ENC_{SK_{A_i}}(V_{pos_i})$ and
sends $(E_{pos_i}, N_i)$. The admin decrypts $V'_{pos_i} = DEC_{SK_{A_i}}(E_{pos_i})$, extracts $V'_i$ from
$Img_{A_i}$ using $V'_{pos_i}$, computes $N'_i = h(V'_i)$, verifies $N'_i \stackrel{?}{=} N_i$, computes
$N''_i = h(V'_{pos_i})$, generates the new key $SK_{A_i} = SK_{A_i} \oplus Seq_{index_{A_i}}$ and sends $(N''_i)$.
CS verifies $N''_i \stackrel{?}{=} h(V_{pos_i})$ and generates the new key $SK_{A_i} = SK_{A_i} \oplus Seq_{index_{CS_i}}$.


3. ANALYSIS AND RESULTS 

In the following sub-sections we perform two types of analysis on the proposed scheme: a security
analysis against some significant known attacks, and a performance analysis in terms of computation
cost and communication overhead. The analysis results are discussed in comparison with some
related works.


3.1. Security analysis 

In this section, two types of security analysis will be applied to the scheme suggested in this work. 
The first is informal security analysis and the second is formal security analysis. Both types of security 
analysis are explained in detail against some significant known security attacks and the analysis results 
showed good resistance to these attacks. 
3.1.1. Informal security analysis
In this section, we show some security features of the proposed scheme and its ability to resist
well-known attacks such as MITM, replay and impersonation attacks.

a. User privacy: because the exchanged data is computed from random values derived from the images
($Img_{A_i}$, $Img_{CS_i}$) and ($V_i$, $V_{pos_i}$, $P_i$, $N_i$), the values are untraceable and are generated
once per login request for all components. Furthermore, attackers cannot use the shared keys
($SK_{U_i}$, $SK_{A_i}$) to identify a component's identity.

b. Anonymity of verification parameters: when an administrator first registers in the system, he uses his
primary parameters (identity $ID_{A_i}$, hashed password $h(PW_{A_i})$), which are stored in the database of CS.
After that, CS replies to $A_i$ by providing him ($Img_{A_i}$, $SK_{A_i}$). In the login and authentication phase,
$A_i$ uses anonymous parameters ($P_i$, $N''_i$) generated once for each login (where
$P_i = h(PW_{A_i}) \| h(Seq_{index_{A_i}})$ and $N''_i = h(V'_{pos_i})$). Assuming an attacker is able to access
the main parameters ($P_i$, $N''_i$), the attacker cannot learn the details (such as the shared key or the shared
image points) of $A_i$ or CS, as these parameters are stored in an anonymous way, and cannot reuse them to
log in instead of $A_i$.

c. Non-linkability: the main parameters produce different random values for each login request. On the
administrator side, the variable parameters ($Seq_{index_{A_i}}$, $Seq_{index_{CS_i}}$, $V_i$, $V'_i$) are generated
in a secure manner, ensuring a high level of security and preserving privacy based on the prior agreement
between $A_i$ and CS. For the verification message $M_{A_i} = (ID_{A_i}, P_i)$ of $A_i$, CS computes
$P'_i = h(PW_{A_i}) \| h(Seq_{index_{CS_i}})$ and then checks $P'_i = P_i$; if so, CS sends the challenge
($E_{pos_i}$, $N_i$) to $A_i$. Then $A_i$ checks the validity of CS by computing $N'_i = h(V'_i)$ and comparing it
with the value $N_i$; if it matches, he sends $N''_i$ to CS as a second factor to prove the validity of $A_i$. Thus,
all response values ($P_i$, $P'_i$, $N_i$, $N'_i$, $N''_i$) are different, making it impossible for attackers to
determine whether data was sent from the same component.

d. Confidentiality: each secret key ($SK_{U_i}$, $SK_{A_i}$) in the proposed scheme is shared with the cloud
server's back-end database. Users who are not authorized cannot access the services and resources of the
system because they do not hold the secret keys.

e. Perfect forward secrecy and key management: we highlight this feature because it ensures that an attacker
cannot compromise the session keys. The suggested method makes use of dynamic authentication
credentials based on ($Seq_{index_{A_i}}$, $P_i$, $V_{pos_i}$, $SK_{A_i}$, $N_i$), which continue to evolve across
sessions in order to attain complete forward secrecy. Assume an attacker is able to obtain the secret key
$SK_{A_i}$; the adversary is still unable to obtain $V_{pos_i}$ or to derive the fresh key for a new login session,
$SK_{A_i} = SK_{A_i} \oplus Seq_{index_{A_i}}$. The reason is that the parameters ($Seq_{index_{A_i}}$, $P_i$,
$V_{pos_i}$, $SK_{A_i}$, $N_i$) become outdated after each successful session. Therefore, the proposed scheme
provides this feature.

f. Mutual authentication: to defeat adversaries, all parties should authenticate each other's identities before
transmitting data. Our proposed scheme provides mutual authentication between ADM and CS. For each
login process, both parties must verify the other's credibility through the set of steps described in the
authentication phase. On the administrator side, mutual authentication is applied as follows:

ADM → CS: $\{M_{A_i} = (ID_{A_i}, P_i)\}$
CS → ADM: $\{E_{pos_i}, N_i\}$
ADM → CS: $\{N''_i\}$

We notice that each party must possess the main parameters ($ID_{A_i}$, $P_i$, $E_{pos_i}$, $N_i$, $N''_i$,
$Seq_{index_{A_i}}$, $V_{pos_i}$, $SK_{A_i}$) to complete mutual authentication. Otherwise, the authentication
terminates. Therefore, our proposed work provides mutual authentication.
g. MITM attack: on the administrator side, we assume that the adversary A can obtain the exchanged messages
$\{M_{A_i} = (ID_{A_i}, P_i)\}$, $\{E_{pos_i}, N_i\}$, and $\{N''_i\}$ between ADM and CS during the login and
authentication phases. If A tries to change these messages and send them to the legitimate party, the modified
messages cannot pass the verification step because A does not possess the real parameters ($P_i$,
$Seq_{index_{A_i}}$, $V_{pos_i}$, $SK_{A_i}$).
h. Replay attack: in this type of attack, the adversary A tries to capture the original message and re-send it more
than once. This attack also fails against our scheme due to the use of the parameters ($P_i$, $Seq_{index_{A_i}}$,
$V_{pos_i}$) together with a symmetric encryption algorithm and the OTP feature, which keeps the secured
messages changing every time.
i. Impersonation attack: a server/user impersonation attack can succeed only when the adversary A
creates a valid $P_i$, $Seq_{index_{A_i}}$, $V_{pos_i}$, $SK_{A_i}$, $N_i$ and sends these parameters together with
$Seq_{index_{A_i}}$. However, this type of attack fails because $ID_{A_i}$ must be bound to the original parameters
$P_i$, $Seq_{index_{A_i}}$, $V_{pos_i}$, $SK_{A_i}$.


3.1.2. Formal security analysis using the Scyther tool

The proposed authentication protocol for admin-CS is verified using the Scyther verification tool
to prove that our scheme is secure against significant attacks. Scyther has many useful features, such as
unbounded verification, attack finding, and visualization; it also supports properties such as secrecy,
agreement, aliveness, and synchronization [28]-[30]. Figure 3 shows the admin authentication protocol written
in the security protocol description language (SPDL) beside the Scyther verification result. The verification
result shows that our proposed protocol is secure against the significant attacks.


Figure 3. The proposed protocol in security protocol description language (SPDL) with the Scyther verification
result. The SPDL listing (Protocol1.spdl) recoverable from the screenshot is the following; the lines of role ADM
after recv_2 and one of the claim lines of role CS are not legible in the source:

    usertype pointsvector;
    usertype pointspositions;
    hashfunction H1;
    secret k:Function;

    protocol AuthProto (ADM,CS)
    {
      role ADM
      {
        const ID,PW,Seq : Nonce;
        const vec1 : pointsvector;
        var pos1 : pointspositions;
        send_1 (ADM,CS,ID,H1(PW),H1(Seq));
        recv_2 (CS,ADM,H1(vec1),{pos1}k(ADM,CS));
        ...
      }
      role CS
      {
        ...
        recv_1 (ADM,CS,ID,H1(PW),H1(Seq));
        send_2 (CS,ADM,H1(vec1),{pos1}k(ADM,CS));
        recv_3 (ADM,CS,H1(pos1));
        claim(CS,Secret,ID);
        claim(CS,Secret,PW);
        claim(CS,Secret,Seq);
        claim(CS,Secret,vec1);
        claim(CS,Secret,pos1);
        claim(CS, ...);
        claim(CS,Weakagree);
        claim(CS,Niagree);
        claim(CS,Nisynch);
      }
    }


3.2. Performance analysis 

In this section, we will provide the performance analysis of the proposed authentication protocol. 
The performance is evaluated in terms of computation cost and communication overhead. Our performance 
analysis includes comparisons with the performance of some other authentication schemes proposed for the 
same environment. 
3.2.1. Computation cost

The computation cost refers to the time consumed in the message generation and verification
phases. Table 2 shows the notation used to evaluate the computation costs of the proposed protocol. The
execution time of the exclusive OR ($\oplus$) operation is computationally negligible, therefore we ignore it.

Since the login and authentication phase is the most important part of an authentication scheme, we
focus on these phases and ignore the cost of the registration phase, because it runs only a limited number of
times in the initial stage of the proposed protocol. We compare the computation cost of the proposed scheme
with four other authentication schemes designed for the same environment as our scheme [18], [31]-[33]. We
rely on the computation cost measurements in [34], [35] to evaluate the computation time of $T_h$, $T_{Enc}$
and $T_{Dec}$, and on our own implementation to evaluate the cost of $T_{Vp}$ and $T_V$. The average running time of
each operation is listed in Table 3. In our comparison we focus on the admin-CS protocol, as our
proposed scheme of using a shared image is applied between these two partners. The computation cost for
each partner of the proposed protocol and the total cost are shown in Table 4. Table 5 compares the
computation cost of the proposed scheme with those of related schemes. The results show that the time
required by our scheme is lower than that of some related works and a little higher than others; this is because
our scheme provides more security requirements than the other schemes.


Table 2. The notation used in the protocol evaluation

Notation | Execution time of the operation
$T_h$ | One-way hash function $h(\cdot)$
$T_{Enc}$ | Symmetric encryption algorithm AES (128-bit key)
$T_{Dec}$ | Decryption algorithm
$T_{Vp}$ | Generate vector of random image point positions
$T_V$ | Extract image point values
$T_{Seq}$ | Generate new term of the sequence
$T_{exp}$ | Modular exponentiation operation, used in the [18] scheme
$T_{pm}$ | Point multiplication operation, used in the [33] scheme


Table 3. The average running time of each operation

Operation | Running time (ms)
$T_h$ | 0.0023
$T_{Enc}$ | 0.0046
$T_{Dec}$ | 0.0046
$T_{Vp}$ | 0.058
$T_V$ | 0.0055


Table 4. The computation cost for each partner in the proposed protocol

Partner | Computation cost
User | $2T_h$
Admin | $T_{Seq} + 4T_h + T_{Dec} + T_V$
Cloud server | $T_{Seq} + 4T_h + T_{Enc} + T_{Vp} + T_V$
Total (for admin-CS) | $2T_{Seq} + 8T_h + T_{Enc} + T_{Dec} + T_{Vp} + 2T_V$


Table 5. Computation cost comparison with some related works

Scheme | Total cost | Time needed (ms)
Kaul et al. [31] | $16T_h + 26T_{\oplus} + 16T_{\|} + 1T_{Dec} + 1T_{Enc}$ | ≈0.046
Hamed and Yassin [32] | $5T_h + 2T_{Enc} + 5T_{\|} + 2T_{Dec}$ | ≈0.0299
Radhakrishnan and Karuppiah [18] | $15T_h + 1T_{exp}$ | ≈530
Qiu et al. [33] | $13T_h + 4T_{pm}$ | ≈270.39
Ours (for admin-CS) | $2T_{Seq} + 8T_h + T_{Enc} + T_{Dec} + T_{Vp} + 2T_V$ | ≈0.0966


3.2.2. Communication costs 

Following [35] and [36], we assume that the identity and the SHA-1 hash digest are each 160 bits.
Consequently, the communication cost of the suggested protocol can be calculated for both user-CS
communication and admin-CS communication as follows. For user-CS communication we have one message
in the login/authentication phase, $(ID_{U_i}, P_i)$, so it requires (160+160+160)=480 bits. For admin-CS
communication we have three messages in the login/authentication phase:
- Message 1: $(ID_{A_i}, P_i)$ requires (160+160+160)=480 bits
- Message 2: $(E_{pos_i}, N_i)$ requires (128+160)=288 bits
- Message 3: $(N''_i)$ requires 160 bits

As a result, the overall communication cost is 480+288+160=928 bits. Table 6 compares the
communication cost of the proposed scheme with those of related schemes. The results indicate that our
scheme has an acceptable communication cost compared with the other related schemes.
Table 6. Communication cost comparison with some related works

Scheme | Communication cost (bits)
Kaul et al. [31] | 768
Hamed and Yassin [32] | 608
Radhakrishnan and Karuppiah [18] | 1024
Qiu et al. [33] | (not legible in the source)
Ours (for admin-CS) | 928


4. CONCLUSION 

The protection of e-healthcare information systems from security and privacy breaches has become a
challenge. There have been a number of techniques for remote user authentication, each with its own
advantages and disadvantages. Our proposed work presents a 2FA scheme based on random points of a
shared image to authenticate the connection between the admin (doctors or healthcare system
employees) and the cloud server. The proposed scheme was analyzed both informally and formally; the
analysis shows that our scheme has several security features, such as user privacy, anonymity of verification
parameters, non-linkability, confidentiality, forward secrecy, and mutual authentication. The formal analysis
was made using the Scyther tool, and the results obtained show that the proposed scheme is safe and secure.
We think that our research and analysis will be beneficial not only in healthcare environments but also in
any setting that needs to apply a secure authentication scheme.